How to Apply CORS Policies to Vultr Object Storage Buckets

Updated on October 11, 2021
How to Apply CORS Policies to Vultr Object Storage Buckets header image

Introduction

Vultr Object Storage is compatible with a subset of the S3 API. See our compatibility matrix for details. This article explains how to apply a Cross-Origin Resource Sharing (CORS) policy to a Vultr Object Storage bucket. Linux and Mac users should follow the instruction for S3cmd. Windows users can use S3 Browser. The CORS policies in this article are examples and must be modified to suit your needs.

Use S3cmd on Mac and Linux

S3cmd is available for Mac and Linux from this download page. Learn how to configure s3cmd for Vultr Object Storage.

View CORS Policy

Use the info command to view the CORS policy for a bucket. If no policy exists, the result is CORS: none.

$ s3cmd info s3://example_bucket
s3://example_bucket/ (bucket):
   Location:  us
   Payer:     BucketOwner
   Expiration Rule: none
   Policy:    none
   CORS:      none
   ACL:       12345678: FULL_CONTROL

Add a CORS Policy

  1. Create an XML file named cors_rules.xml.

     $ nano cors_rules.xml
  2. Paste the following example.

     <CORSConfiguration>
     <CORSRule>
         <ID>Allow WebFont for example.com</ID>
         <AllowedOrigin>https://www.example.com</AllowedOrigin>
         <AllowedOrigin>http://www.example.com</AllowedOrigin>
         <AllowedOrigin>https://example.com</AllowedOrigin>
         <AllowedOrigin>http://example.com</AllowedOrigin>
         <AllowedMethod>GET</AllowedMethod>
         <AllowedMethod>HEAD</AllowedMethod>
         <AllowedHeader>*</AllowedHeader>
         <ExposeHeader>ETag</ExposeHeader>
         <MaxAgeSeconds>86400</MaxAgeSeconds>
     </CORSRule>
     </CORSConfiguration>
  3. Apply the policy with the setcors command.

     $ s3cmd setcors cors_rules.xml s3://example_bucket
  4. Use the info command to view the updated CORS Policy.

     $ s3cmd info s3://example_bucket
    
     s3://example_bucket/ (bucket):
        Location:  us
        Payer:     BucketOwner
        Expiration Rule: none
        Policy:    none
        CORS:      <CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><CORSRule><ID>Allow WebFont for example.com</ID><AllowedMethod>GET</AllowedMethod><AllowedMethod>HEAD</AllowedMethod><AllowedOrigin>http://example.com</AllowedOrigin><AllowedOrigin>http://www.example.com</AllowedOrigin><AllowedOrigin>https://example.com</AllowedOrigin><AllowedOrigin>https://www.example.com</AllowedOrigin><AllowedHeader>*</AllowedHeader><MaxAgeSeconds>86400</MaxAgeSeconds><ExposeHeader>ETag</ExposeHeader></CORSRule></CORSConfiguration>
        ACL:       12345678: FULL_CONTROL

Use S3 Browser on Windows

S3 Browser is available for Windows from this download page. Learn how to configure S3 Browser for Vultr Object Storage.

To view and modify a bucket's CORS policy:

  1. Select your bucket.

  2. Click Buckets.

  3. Click CORS Configuration.

    Screenshot of S3 Browser menu

  4. Paste your XML policy and click Apply.

    Screenshot of CORS configuration dialog

Click the remove policy link in the lower left to remove the policy. The Sample CORS Configurations link on this dialog links to a page with more information.

Example XML CORS Policies

A policy that allows hosting WebFonts on Vultr Object Storage might look like this, assuming you allow HTTP and HTTPS, for www.example.com and example.com.

<CORSConfiguration>
<CORSRule>
    <ID>Allow WebFont for example.com</ID>
    <AllowedOrigin>https://www.example.com</AllowedOrigin>
    <AllowedOrigin>http://www.example.com</AllowedOrigin>
    <AllowedOrigin>https://example.com</AllowedOrigin>
    <AllowedOrigin>http://example.com</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <AllowedMethod>HEAD</AllowedMethod>
    <AllowedHeader>*</AllowedHeader>
    <ExposeHeader>ETag</ExposeHeader>
    <MaxAgeSeconds>86400</MaxAgeSeconds>
</CORSRule>
</CORSConfiguration>

An XML CORS policy that allows PUT, POST, and DELETE from https://www.example.com and allows GET from anywhere might look like this:

<CORSConfiguration>
 <CORSRule>
   <AllowedOrigin>http://www.example.com</AllowedOrigin>

   <AllowedMethod>PUT</AllowedMethod>
   <AllowedMethod>POST</AllowedMethod>
   <AllowedMethod>DELETE</AllowedMethod>

   <AllowedHeader>*</AllowedHeader>
 </CORSRule>
 <CORSRule>
   <AllowedOrigin>*</AllowedOrigin>
   <AllowedMethod>GET</AllowedMethod>
 </CORSRule>
</CORSConfiguration>

More Information

To learn more about CORS and how to configure CORS policies, see: